14 matches found

ATTACKERKB
added last week, 3 views

CVE-2026-50235

Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability in advanced search parameters that fail to properly sanitize user input before displaying it in search forms. Attackers can inject malicious scripts through unfiltered search parameters to execute arbitrary JavaScri...

6.1 CVSS, 5.6 AI score, 0.00031 EPSS
Exploits 2, References 3, Affected Software 1

RedhatCVE
added 2026/04/03 3:5 p.m., 2 views

CVE-2026-35538

A flaw was found in Roundcube Webmail. Unsanitized IMAP SEARCH command arguments can be exploited by an attacker during mail search. This vulnerability could lead to IMAP injection, allowing an attacker to execute arbitrary IMAP commands, or a Cross-Site Request Forgery (CSRF) bypass, enabling...

3.1 CVSS, 6.1 AI score, 0.00017 EPSS
Exploits 0, References 2

EUVD
added 2026/04/03 6:31 a.m., 4 views

EUVD-2026-18579

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

3.1 CVSS, 5.9 AI score, 0.00017 EPSS
Exploits 0, References 8

OSV
added 2026/04/03 5:16 a.m., 3 views

UBUNTU-CVE-2026-35538

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

3.1 CVSS, 5.8 AI score, 0.00017 EPSS
Exploits 0, References 9

RedhatCVE
added 2025/05/22 5:11 p.m., 4 views

CVE-2020-8893

An issue was discovered in MISP before 2.4.121. The Galaxy view contained an incorrectly sanitized search string in app/View/Galaxies/view.ctp...

7.5 CVSS, 6.9 AI score, 0.00414 EPSS
Exploits 0, References 1

Vulnrichment
added 2025/04/15 10:32 p.m., 9 views

CVE-2025-32388 SvelteKit allows XSS via tracked search_params

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can explo...

5.4 CVSS, 6.1 AI score, 0.00274 EPSS
Exploits 1, References 3

Cvelist
added 2025/04/15 10:32 p.m., 22 views

CVE-2025-32388 SvelteKit allows XSS via tracked search_params

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can explo...

5.4 CVSS, 0.00274 EPSS
Exploits 1, References 3

CVE
added 2025/04/15 10:32 p.m., 62 views

CVE-2025-32388

CVE-2025-32388 affects SvelteKit prior to v2.20.6 where unsanitized iteration over event.url.searchParams in a server load function enables XSS. The issue is fixed in 2.20.6; upgrade to 2.20.6 or later.

5.4 CVSS, 5.2 AI score, 0.00274 EPSS
Exploits 1, References 3

OSV
added 2025/04/14 7:10 p.m., 9 views

GHSA-6Q87-84JW-CJHP @sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params

Summary: Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. Details: SvelteKit tracks...

5.4 CVSS, 5.8 AI score, 0.00274 EPSS
Exploits 1, References 5

OSV
added 2022/01/24 8:15 a.m., 2 views

CVE-2021-25015

The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue...

6.1 CVSS, 6.4 AI score, 0.0021 EPSS
Exploits 2, References 2

CNNVD
added 2022/01/24 12:0 a.m., 3 views

WordPress plugin cross-site scripting vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the Tutor LMS plugin for WordPress, versions prior to 1.9.12,...

6.1 CVSS, 5.7 AI score, 0.00293 EPSS
Exploits 2, References 3

ATTACKERKB
added 2022/01/04 10:0 p.m., 4 views

CVE-2022-22114

In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “search term” search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are executed in a victim’s...

9.6 CVSS, 7.3 AI score, 0.02046 EPSS
Exploits 1, References 3, Affected Software 1

OSV
added 2022/01/03 1:15 p.m., 1 view

CVE-2021-25016

The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting...

6.1 CVSS, 5.8 AI score
Exploits 0, References 1

securityvulns
added 2007/08/14 12:0 a.m., 43 views

JobLister3 SQL injection vulnerabilities

JobLister3 by SkilMatch Staffing Systems, Inc. Multiple SQL injection vulnerabilities http://www.dubdubdub.com/ http://www.skilmatch.com/ The search form field doesn't strip special characters that have special meanings. A single quote makes the application spit out a number of errors. This is not...

0.9 AI score
Exploits 0